Allow for more cryptographic agility? Use of client_secret as key is tied directly to HS256, HS384 and HS512 algos.
Issue #663
resolved
Step 5 in http://openid.net/specs/openid-connect-messages-1_0.html#id.token.verification has "If the alg parameter of the JWT header is one of HS256, HS384, or HS512, the client_secret for the client_id contained in the aud (audience) Claim is used as the key to validate the signature."
Perhaps something like the following to replace the first part of that sentence would accomplish the same thing but more generally allow for the use of a SHA3 HMAC or whatever else might come along in the future: "If the alg parameter of the JWT header indicates the use of a MAC based algorithm, the client_secret..."
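As an added illustration of the proposed wording (this is example code, not from the OpenID Connect spec or this issue): a verifier that decides whether `alg` is MAC-based by looking it up in a table, so a future HMAC algorithm is a one-line table entry rather than an edit to a hard-coded HS256/HS384/HS512 check. The token builder, client_id and client_secret are constructed samples; the hash table is keyed by the registered JOSE names.

```python
import base64
import hashlib
import hmac
import json
from typing import Optional

# MAC-based algs keyed by JOSE "alg" name. Dispatching on membership in this
# table (rather than on a literal HS256/HS384/HS512 check) is what the
# proposed spec wording allows; a future HMAC alg is one more entry here.
HMAC_ALGS = {
    "HS256": hashlib.sha256,
    "HS384": hashlib.sha384,
    "HS512": hashlib.sha512,
}

def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def _b64url_encode(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()

def make_hs_token(claims: dict, client_secret: str, alg: str) -> str:
    """Build a sample ID token MACed with the client_secret (constructed test data)."""
    header = _b64url_encode(json.dumps({"alg": alg, "typ": "JWT"}, separators=(",", ":")).encode())
    payload = _b64url_encode(json.dumps(claims, separators=(",", ":")).encode())
    sig = hmac.new(client_secret.encode(), f"{header}.{payload}".encode(), HMAC_ALGS[alg]).digest()
    return f"{header}.{payload}.{_b64url_encode(sig)}"

def verify_id_token_mac(token: str, client_id: str, client_secret: str) -> Optional[dict]:
    """Return the claims if the token carries a valid MAC for client_id, else None."""
    try:
        h, p, s = token.split(".")
        header = json.loads(_b64url_decode(h))
        claims = json.loads(_b64url_decode(p))
    except (ValueError, json.JSONDecodeError):
        return None
    alg = header.get("alg")
    # "none", unknown algs and asymmetric algs (which need a key-based path, not
    # shown here) are all rejected by the same table lookup.
    if alg not in HMAC_ALGS:
        return None
    # Step 5: the client_secret of the client_id in aud is the MAC key, so the
    # verifier must confirm it is actually that audience before trusting the MAC.
    aud = claims.get("aud")
    if client_id not in (aud if isinstance(aud, list) else [aud]):
        return None
    expected = hmac.new(client_secret.encode(), f"{h}.{p}".encode(), HMAC_ALGS[alg]).digest()
    if not hmac.compare_digest(expected, _b64url_decode(s)):
        return None
    return claims
```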
Comments (3)
Accept
changed status to resolved
Fixed #663 Sec 5.2 to allow for non-SHA2 HMAC algs → <<cset e4e2130456d3>>
Agreed